So, having some fun today, trying to get a javascript in a docker container
to speak to FreeIPA via LDAPS.
I made sure that the key was inserted into the store
(aba-idam:/etc/ipa/ca.crt), and ensured that an ldap user was created for
ldap binding (coincidentally I used "binding").
I also added a user in ipa called ddfusr, set its password, and logged
in via kinit to ensure that we could check it. It is available, is
able to log in and getent its information, not to mention I can see it has
Kerberos info and all that jazz.

So, based on the ldif, we entered the data we expect to be able to log in
with into the java script.  And so we get back an error=32.

What am I missing here?

Information included here:

LDAPSEARCH RESPONSE binding
# ldapsearch -x uid=binding
        # extended LDIF
        #
        # LDAPv3
        # base <dc=aba,dc=house,dc=com> (default) with scope subtree
        # filter: uid=binding
        # requesting: ALL
        #

        # search result
        search: 2
        result: 0 Success

        # numResponses: 1

LDAPSEARCH RESPONSE ddfusr
# ldapsearch -x uid=ddfusr
        # extended LDIF
        #
        # LDAPv3
        # base <dc=aba,dc=house,dc=com> (default) with scope subtree
        # filter: uid=ddfusr
        # requesting: ALL
        #

        # ddfusr, users, compat, aba.house.com
        dn: uid=ddfusr,cn=users,cn=compat,dc=aba,dc=house,dc=com
        cn: ddf user
        objectClass: posixAccount
        objectClass: top
        gidNumber: 1043600007
        gecos: ddf user
        uidNumber: 1043600007
        loginShell: /bin/sh
        homeDirectory: /home/ddfusr
        uid: ddfusr

        # ddfusr, users, accounts, aba.house.com
        dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=house,dc=com
        displayName: ddf user
        uid: ddfusr
        objectClass: ipaobject
        objectClass: person
        objectClass: top
        objectClass: ipasshuser
        objectClass: inetorgperson
        objectClass: organizationalperson
        objectClass: krbticketpolicyaux
        objectClass: krbprincipalaux
        objectClass: inetuser
        objectClass: posixaccount
        objectClass: ipaSshGroupOfPubKeys
        objectClass: mepOriginEntry
        objectClass: ipauserauthtypeclass
        loginShell: /bin/sh
        initials: du
        gecos: ddf user
        sn: user
        homeDirectory: /home/ddfusr
        givenName: ddf
        cn: ddf user
        uidNumber: 1043600007
        gidNumber: 1043600007

        # search result
        search: 2
        result: 0 Success

        # numResponses: 3
        # numEntries: 2

KLIST RESPONSE
# klist
        Ticket cache: KEYRING:persistent:0:krb_ccache_wtB5z4N
        Default principal: ddf...@aba.house.com

        Valid starting       Expires              Service principal
        08/12/2016 11:56:17  08/13/2016 11:56:14  krbtgt/aba.house....@aba.house.com


GETENT RESPONSE
# getent passwd ddfusr
        ddfusr:*:1043600007:1043600007:ddf user:/home/ddfusr:/bin/sh


LDAP-MODULE.XML
        <jaas:config name="karaf" rank="1">
                <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                             flags="required">
                  initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
                  connection.username=cn=binding
                  connection.password=password!
                  connection.url=ldaps://aba-idam.aba.house.com:636
                  user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
                  user.filter=(uid=%u)
                  user.search.subtree=true
                  role.base.dn=cn=JBoss,dc=aba,dc=house,dc=com
                  role.name.attribute=cn
                  role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
                  role.search.subtree=true
                  role.mapping=admin=group,admin,manager,viewer,webconsole
                  authentication=simple
                  ssl.protocol=SSL
                  ssl.truststore=truststore
                  ssl.algorithm=PKIX
                </jaas:module>
        </jaas:config>

        <jaas:keystore name="truststore"
                       path="file:${javax.net.ssl.trustStore}"
                       keystorePassword="${javax.net.ssl.trustStorePassword}" />

JAVA LOG FILE:
        2016-08-12 11:10:27,174 | WARN  | d]-nio2-thread-5 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.4 | Can't connect to the LDAP server: [LDAP: error code 32 - No Such Object]
        javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
                at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:295)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)[:1.8.0_65]
                at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)[:1.8.0_65]
                at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
                at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)[:1.8.0_65]
                at javax.naming.InitialContext.init(InitialContext.java:244)[:1.8.0_65]
                at javax.naming.InitialContext.<init>(InitialContext.java:216)[:1.8.0_65]
                at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)[:1.8.0_65]
                at org.apache.karaf.jaas.modules.ldap.LDAPCache.open(LDAPCache.java:113)[116:org.apache.karaf.jaas.modules:4.0.4]
                at org.apache.karaf.jaas.modules.ldap.LDAPCache.doGetUserDnAndNamespace(LDAPCache.java:147)[116:org.apache.karaf.jaas.modules:4.0.4]
                at org.apache.karaf.jaas.modules.ldap.LDAPCache.getUserDnAndNamespace(LDAPCache.java:138)[116:org.apache.karaf.jaas.modules:4.0.4]
                at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:110)[116:org.apache.karaf.jaas.modules:4.0.4]
                at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)[116:org.apache.karaf.jaas.modules:4.0.4]
                at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.4.jar:]
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_65]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_65]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_65]
                at java.lang.reflect.Method.invoke(Method.java:497)[:1.8.0_65]
                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_65]
                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_65]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_65]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_65]
                at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_65]
                at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_65]
                at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:78)
                at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:159)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:431)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)[1:org.apache.sshd.core:0.14.0]
                at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
                at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
                at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[1:org.apache.sshd.core:0.14.0]
                at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.8.0_65]
                at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.8.0_65]
                at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.8.0_65]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_65]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_65]
                at java.lang.Thread.run(Thread.java:745)[:1.8.0_65]


RH IDM ACCESS LOG FILE
        [12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
        [12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
        [12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
        [12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
        [12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1

Michael Sean Conley
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
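In the access log above, err=32 is returned for the BIND operation itself (op=0), before the module ever searches for the user. The following offline check correlates each BIND with its RESULT by (conn, op) and compares the configured bind DN against the DNs an ldapsearch dump actually contains; it is an added example, not the poster's code or part of FreeIPA or Karaf, and its LDIF and log lines are constructed from the ones quoted in the post.

```python
import re

# Constructed from the post's ldapsearch output: only the DN lines matter here.
LDIF = """\
# ddfusr, users, accounts, aba.house.com
dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=house,dc=com
uid: ddfusr
objectClass: posixaccount
"""

# Constructed from the post's 389-ds access log (BIND and its RESULT share conn/op).
ACCESS_LOG = """\
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1
"""

LDAP_NO_SUCH_OBJECT = 32       # the err= value the poster sees on BIND
LDAP_INVALID_CREDENTIALS = 49  # what a wrong password for an existing DN returns


def ldif_dns(ldif):
    """Collect every DN present in an LDIF dump, normalised for comparison."""
    return {m.group(1).strip().lower() for m in re.finditer(r"^dn:\s*(.+)$", ldif, re.M)}


def bind_results(log):
    """Pair each BIND with its RESULT by (conn, op) and return [(bind_dn, err)]."""
    pending, results = {}, []
    for line in log.splitlines():
        bind = re.search(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"', line)
        if bind:
            pending[bind.group(1, 2)] = bind.group(3)
            continue
        res = re.search(r"conn=(\d+) op=(\d+) RESULT err=(\d+)", line)
        if res and res.group(1, 2) in pending:
            results.append((pending.pop(res.group(1, 2)), int(res.group(3))))
    return results


def diagnose(bind_dn, err, known_dns):
    """Explain a BIND result code in terms of the DNs the directory actually holds."""
    if err == 0:
        return "bind succeeded"
    if err == LDAP_NO_SUCH_OBJECT:
        if "," not in bind_dn:
            return "bind DN is a bare RDN, not a full DN under the suffix"
        if bind_dn.lower() not in known_dns:
            return "bind DN not present in the directory dump"
        return "entry exists in the dump; check for a typo in the bind DN"
    if err == LDAP_INVALID_CREDENTIALS:
        return "bind DN exists but the password was rejected"
    return f"LDAP result code {err}"
```

Run it on a real access log and an `ldapsearch -x -b <suffix> '(uid=<bind user>)'` dump taken with credentials that are allowed to see the bind account; an anonymous search that returns no entries (as in the post) says nothing about whether the account exists.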